Some configuration files are executables and so they require the
signature in the extended attribute. If they are not executable,
they can be skipped.

Examples of configuration files that are also executable are
the grub files in /etc/grub.d.

Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com>
---
 plugins/ima.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/plugins/ima.c b/plugins/ima.c
index be15ecf..76c7d3d 100644
--- a/plugins/ima.c
+++ b/plugins/ima.c
@@ -49,13 +49,18 @@ static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int 
res)
        }
 
        while (rpmfiNext(fi) >= 0) {
-           /* Don't install signatures for (mutable) config files */
-           if (!(rpmfiFFlags(fi) & RPMFILE_CONFIG)) {
-               fpath = rpmfiFN(fi);
-               fsig = rpmfiFSignature(fi, &len);
-               if (fsig && (check_zero_hdr(fsig, len) == 0)) {
-                   lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
-               }
+           /* Don't install signatures for (mutable) files marked
+            * as config files unless they are also executable.
+            */
+           if (rpmfiFFlags(fi) & RPMFILE_CONFIG) {
+               if (!(rpmfiFMode(fi) & (S_IXUSR|S_IXGRP|S_IXOTH)))
+                   continue;
+           }
+
+           fsig = rpmfiFSignature(fi, &len);
+           if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+               fpath = rpmfiFN(fi);
+               lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
            }
        }
 exit:
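Review bot: The result of lsetxattr() on the new-side line `lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);` is still discarded, so when the IMA xattr cannot be written (for example, a filesystem without xattr support or insufficient privilege) the file — now including executable config files such as those under /etc/grub.d that this change deliberately starts signing — is installed without a signature and nothing records it. I would check the return value and at least log it: `if (lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0) < 0)` followed by `rpmlog(RPMLOG_WARNING, "ima: lsetxattr(%s) failed: %s\n", fpath, strerror(errno));` (rpmlog.h, string.h and errno.h would need to be in scope; the includes are outside the hunk). The new mode test also relies on S_IXUSR/S_IXGRP/S_IXOTH, so `<sys/stat.h>` must be included somewhere above the hunk — presumably it already is via rpmfi's mode handling, but worth confirming. ima_psm_post begins before this hunk and continues past the `exit:` label.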
-- 
2.5.5
